Notification, reporting part of new rules under the Health Information Technology for Economic and Clinical Health Act

Over the past three years, about 21 million patients have had their medical records exposed in data security breaches that were big enough to require they be reported to the federal government.

Since Sept. 2009, 477 breaches affecting 500 people or more each have been reported to the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services. In total, the health records of 20,970,222 people have been compromised, the OCR said.

The Office for Civil Rights has been updating a list of the breaches on its website. The list is known to the health care industry as "The Wall of Shame," according to the OCR.

Six health care organizations listed on The Wall of Shame reported security breaches that involved one million or more records.

Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. TRICARE, formerly known as Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), provides civilian health benefits for military personnel, military retirees, and their dependents.

Other major breaches included: Health Net, which reported 1.9 million records lost when hard drives went missing; the New York City Health & Hospitals Corporation's North Bronx Healthcare Network, which reported the theft of 1.7 million electronic medical records; AvMed Health Plans in Florida, which reported the theft of a laptop with 1.22 million patient records; and Blue Cross Blue Shield of Tennessee, which reported the theft of an external hard drive with 1.02 million records.

WellPoint, the largest managed health care company in the Blue Cross and Blue Shield Association, also reported 31,700 of its customer records were compromised during the three-year time period. WellPoint's breach occurred via a hack to a network server, according to the report.

The Nemours Foundation, a health care organization that runs children's hospitals, also reported the loss of 1.05 million records when data backup tapes were lost.

The breach notification and reporting is part of new rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The rules not only require the public reporting of breaches but also increased penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), which requires organizations to safeguard patient information.

About 55,000 breach reports involving fewer than 500 records where also reported to the OCR from 2009, according to Rachel Seeger, a senior health information privacy specialist with OCR.

Theft made up 54% of the breaches, while hacking made up only 6% of the compromised data. Theft was followed by unauthorized access or disclosure for 20%, lost records and devices for 11%, improper disposal of records made up 5% and other/unknown categories made up 4%.

The sheer inevitability of having similar issues in Australia led me to see where we are here:

This seemed to be a useful summary from the Privacy Commissioner (from a press release of 1 July, 2012):

Background information

The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) provides strict controls on the collection, use and disclosure of health information included in an individual's eHealth record. A collection, use or disclosure which is not authorised by the legislation is both a contravention of the PCEHR Act and an interference with the privacy of the individual under the Privacy Act 1988. The legislation also imposes mandatory data breach notification obligations on the System Operator, repository operators and portal operators. (Emphasis mine)

The OAIC regulates the handling of personal information under the eHealth record system by individuals, Australian Government agencies, private sector organisations and some state and territory agencies, instrumentalities and authorities (in particular circumstances).

The OAIC's regulatory role includes investigating complaints about the mishandling of health information in an eHealth record, as well as conducting 'own motion investigations'. Along with the System Operator, the OAIC will also accept data breach notifications and assist affected entities to deal with data breaches in accordance with the legislative requirements.

The OAIC will have a range of enforcement powers available to it following an investigation, including:

the power to seek civil penalties

the power to seek an injunction to prohibit or require particular conduct

What is not clear from this is what the Privacy Commissioner does (or is intended to do) when notified of a data breach.

What would be hoped for would be that all those affected would be told - but there does not seem to be much clarity just yet. It could be that the Enforcement Guidelines will provide that detail. I hope so.

The US approach of compulsory notification and reporting of breaches that affect more than 500 individuals seems sensible.

The other gap in all this is just how those other than repository operators will be expected to handle breaches, how they may be penalised and what help they will be given is presently not all that clear other than this:

Healthcare providers should be aware of the following information:

Know your obligations under the PCEHR Act: there are serious penalties if you don’t comply

Understand that while there are new obligations for information stored on the eHealth record system, you must continue to comply with your current legal obligations

Develop robust processes for handling eHealth records and ensure staff are adequately trained to follow them

Tell your patients about what information you intend to add to and access from their eHealth record and explain what you will do with the information

Ensure that you do not collect more information from an eHealth record than is necessary

Collect, use and disclose information in a patient’s eHealth record only for the limited and authorised purposes allowed under the eHealth record system

Know how the eHealth record system can be used in an emergency situation

I am not sure that saying you need to know the legislation is good enough! Maybe a summary of the key additional points contained in the legislation might help along with a clear summary of all the potential obligations (and where to get help) would be pretty useful. Of course all this should have been sorted out ages ago.

On the same topic this is a long feature article from Health Data Management that is also well worth a browse to see the facts and fictions in the area:

Since the breach notification rule became effective two and a half years ago, the HHS Office for Civil Rights has logged more than 31,000 breaches of protected health information. Of those, 500 breaches have been "major"-each affecting at least 500 individuals-with several affecting more than 1 million. The major breaches have generally occurred outside a health care facility's walls and resulted from a laptop or backup tapes being lost or stolen, or a hard drive or paper records improperly disposed.

But internal threats to protected health information-when employees snoop into medical records of co-workers or VIPs, bring in unauthorized mobile devices, make configuration changes to information systems, send unencrypted information in e-mails to legitimate outside recipients, or unknowingly access a rogue Web site-are far more common than the big breaches that make headlines, I.T executives say.

The University of Arizona Health Network in Tucson had snooping incidents when former Rep. Gabby Giffords was being treated for gunshot wounds following a shooting spree at a meeting with constituents, says Jeffrey MacEwen, the health system's information assurance officer. Some snoopers tried to get around internal security by jumping on workstations and checking Gifford's records after co-workers walked away without logging out of their sessions, he recalls.

Three-hospital Beaumont Health System in Royal Oak, Mich., has terminated a handful of employees this year because they were found to have pulled records of co-workers or VIPs, says Doug Copley, director of corporate information services and information security officer.

While there's always a handful of employees who are criminally curious, most internal breaches of PHI are unintentional, such as an employee transferring records to a flash drive or sending records to a personal e-mail account to work on them from home, or even sending records to a peer for advice, Copley says. "Things happen and most of the time it's not malicious, it's people not knowing the right way to secure the information."